WP Go Maps Vulnerability – Reflected Cross-Site Scripting – CVE-2023-6697 | WordPress Plugin Vulnerability Report
Plugin Name: WP Go Maps (formerly WP Google Maps)
Key Information:
- Software Type: Plugin
- Software Slug: wp-google-maps
- Software Status: Active
- Software Author: wpgmaps
- Software Downloads: 22,527,179
- Active Installs: 400,000
- Last Updated: January 23, 2024
- Patched Versions: 9.0.29
- Affected Versions: <= 9.0.28
Vulnerability Details:
- Name: WP Go Maps (formerly WP Google Maps) <= 9.0.28 - Reflected Cross-Site Scripting
- Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CVE: CVE-2023-6697
- CVSS Score: 6.1 (Medium)
- Publicly Published: January 23, 2024
- Researcher: Nex Team
- Description: The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the map id parameter in all versions up to, and including, 9.0.28 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages; the scripts execute if the attacker can trick a user into performing an action such as clicking on a link.
Summary:
The WP Go Maps plugin for WordPress has a reflected cross-site scripting vulnerability in versions up to and including 9.0.28 that could allow unauthenticated attackers to inject malicious scripts. This vulnerability has been patched in version 9.0.29.
Detailed Overview:
The WP Go Maps plugin before version 9.0.29 does not properly sanitize or escape the map id parameter on affected pages. This allows attackers to inject arbitrary JavaScript that executes in a victim's browser when the victim visits a crafted link. For example, an attacker could send a link that, when clicked, injects code to steal cookies or session information, which could lead to account compromise or other attacks. The vulnerability is fixed in version 9.0.29 through improved input validation and output encoding.
Advice for Users:
- Immediate Action: Update to version 9.0.29 or later to mitigate this vulnerability.
- Check for Signs of Compromise: Review browser logs and site files for unauthorized code injections or other malicious activities.
- Consider Alternatives: While an update is available, consider alternative mapping plugins as a precaution.
- Stay Updated: Enable automatic background updates in WordPress to ensure plugins stay updated.
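For the "Check for Signs of Compromise" step above: a reflected XSS payload is never stored on the server, so the place it leaves a trace is the web server access log, where the crafted request appears with its query string. The following script is an added example written for this report, not code from WP Go Maps or from the advisory's source. It scans Common Log Format lines for a map id parameter carrying HTML or script markers. The parameter names it checks (map_id, mapid, map) are assumptions, since the advisory does not name the parameter, and the log lines are constructed samples. Requires PHP 8 (for str_contains).

```php
<?php
// Added example, not WP Go Maps code. Flags access log requests whose map id
// parameter contains markup or script markers instead of a numeric id.
// Parameter names below are assumptions; the advisory does not name the parameter.

declare(strict_types=1);

const MAP_PARAMS = ['map_id', 'mapid', 'map'];

// Markers that have no business in a numeric id. Compared after URL-decoding
// and lowercasing, so %3Cscript%3E and <SCRIPT> are both caught.
const SUSPICIOUS = ['<', '>', '"', "'", 'javascript:', 'onerror', 'onload', 'script', 'document.'];

function suspicious_map_requests(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        // Common Log Format: client ident user [time] "METHOD PATH PROTO" status size
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $client, $time, $target, $status] = $m;
        $q = parse_url($target, PHP_URL_QUERY);
        if ($q === null || $q === false) {
            continue;
        }
        parse_str($q, $params);              // parse_str also URL-decodes the values
        foreach (MAP_PARAMS as $p) {
            if (!isset($params[$p]) || !is_string($params[$p])) {
                continue;
            }
            $value = $params[$p];
            if (ctype_digit($value)) {       // a well-formed id is all digits
                continue;
            }
            $lower = strtolower(rawurldecode($value)); // second pass catches double encoding (%253C)
            $matched = array_values(array_filter(SUSPICIOUS, fn(string $s): bool => str_contains($lower, $s)));
            if ($matched !== []) {
                $hits[] = [
                    'line'    => $n + 1,
                    'client'  => $client,
                    'time'    => $time,
                    'param'   => $p,
                    'value'   => $value,
                    'status'  => (int) $status,
                    'markers' => $matched,
                ];
            }
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic); IPs are documentation ranges.
$log = [
    '203.0.113.5 - - [23/Jan/2024:10:01:02 +0000] "GET /?map_id=3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [23/Jan/2024:10:02:15 +0000] "GET /?map_id=3%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5390',
    '198.51.100.7 - - [23/Jan/2024:10:03:44 +0000] "GET /contact/?map_id=12&zoom=9 HTTP/1.1" 200 6100',
    '198.51.100.8 - - [23/Jan/2024:10:04:01 +0000] "GET /?map=javascript:alert(1) HTTP/1.1" 200 5010',
];

foreach (suspicious_map_requests($log) as $hit) {
    printf("line %d  %s  %s  %s=%s  markers: %s\n",
        $hit['line'], $hit['time'], $hit['client'], $hit['param'], $hit['value'], implode(',', $hit['markers']));
}
```

Of the four sample lines only the second and fourth are reported; the two numeric ids pass the ctype_digit check and never reach the marker comparison. A 200 status on a flagged line means the affected version served the page with the payload reflected, which is the signal that a user may have been targeted; pair the client address and timestamp with session activity from the same window when deciding whether to invalidate sessions.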
Conclusion:
The quick response by WP Go Maps developers to address this vulnerability is reassuring. Users should ensure they are running version 9.0.29 or later to fully protect their sites. Prompt updates are key to staying secure.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-google-maps
Detailed Report:
Keeping your WordPress website secure should be a top priority – allowing vulnerabilities to persist can put your entire site at risk. Unfortunately, the popular WP Go Maps plugin has a reflected cross-site scripting vulnerability in all versions up to and including 9.0.28. This vulnerability, tracked as CVE-2023-6697 with a CVSS score of 6.1 (Medium), makes it possible for attackers to inject malicious code into pages served by vulnerable websites.
About WP Go Maps:
WP Go Maps is an actively maintained and widely used WordPress plugin with over 22 million downloads and 400,000 active installs. It provides customized Google Maps functionality to websites. The plugin is developed by wpgmaps and the latest version prior to the vulnerability patch was version 9.0.28.
Details of the Vulnerability:
The vulnerability allows unauthenticated remote attackers to inject arbitrary malicious JavaScript code into vulnerable WP Go Maps web pages. This occurs because the plugin fails to properly validate or encode user input from the map ID parameter. By tricking a user into clicking a specially crafted link, attackers can execute scripts in the victim's browser to steal session cookies, site data, or take other malicious actions.
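The Detailed Overview and the paragraph above both describe the same two defects, missing input validation and missing output encoding, and the same two-part fix. The following is an added example, written for this report and not taken from the WP Go Maps code base, that shows the vulnerable pattern beside the hardened one in plain PHP. The parameter name map_id, the markup and the class name are hypothetical stand-ins for the advisory's unnamed "map id" parameter; the WordPress equivalents of the two hardening steps are absint() for validation and esc_attr() for attribute escaping.

```php
<?php
// Added example, not WP Go Maps code. "map_id" and the <div> markup are
// hypothetical; they illustrate the class of bug the advisory describes.

declare(strict_types=1);

// Vulnerable pattern: the raw query value is interpolated into HTML with no
// validation and no escaping. A value that contains  "><  closes the attribute
// and the element, and whatever follows is parsed as markup.
function render_map_vulnerable(array $query): string
{
    $map_id = $query['map_id'] ?? '';
    return '<div class="map-embed" data-map-id="' . $map_id . '"></div>';
}

// Hardened pattern, in two independent layers:
//  1. validate: a map id is a positive integer; anything else is rejected, so
//     attacker-controlled text never reaches the output at all;
//  2. escape: the value is still HTML-escaped at the output point, so a later
//     change that accepts free text cannot silently reintroduce the bug.
// In a WordPress plugin these are absint() and esc_attr() respectively.
function render_map_hardened(array $query): ?string
{
    $raw    = $query['map_id'] ?? '';
    $map_id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($map_id === false) {
        return null; // caller answers with a 400 or "no such map"; it never echoes the input
    }
    $safe = htmlspecialchars((string) $map_id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="map-embed" data-map-id="' . $safe . '"></div>';
}

// Escape-only variant: what the output-encoding layer alone achieves when a
// parameter legitimately has to stay free text.
function escape_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request inputs: a benign id and a crafted one.
$benign  = ['map_id' => '7'];
$crafted = ['map_id' => '7"><script>alert(1)</script>'];

echo "vulnerable, crafted input:\n  " . render_map_vulnerable($crafted) . "\n";
echo "hardened, benign input:\n  " . var_export(render_map_hardened($benign), true) . "\n";
echo "hardened, crafted input:\n  " . var_export(render_map_hardened($crafted), true) . "\n";
echo "escape-only, crafted input:\n  " . escape_attr($crafted['map_id']) . "\n";
```

Running it shows the vulnerable renderer emitting the script tag intact inside the page, the hardened renderer returning NULL for the crafted value (rejected at validation) and a clean element for the benign one, and the escape-only variant turning the quote and angle brackets into entities so the text stays inert inside the attribute. Validation is the stronger control for an id that is always numeric; escaping is what protects the page when a value cannot be constrained that tightly, and the fix the advisory describes applies both.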
Risks and Impacts:
This reflected cross-site scripting vulnerability puts WP Go Maps sites running v9.0.28 or earlier at risk of:
- Account/Admin compromise through stolen credentials
- Defaced or altered webpages
- Injection of unwanted advertising or spam
- Browser exploitation and further malware downloads
How to Patch:
The WP Go Maps team has addressed this vulnerability by releasing version 9.0.29. Users should immediately update to the latest patched release. Enabling auto-updates can also help prevent future vulnerabilities from going unpatched.
Previous Vulnerabilities:
WP Go Maps has had over 10 previously disclosed vulnerabilities since October 2014, a history that underscores the importance of prompt patching for plugin users.
Don't tackle WordPress security alone - the consequences of a breach are too great. At Your WP Guy, our managed WordPress maintenance services include layers of protection like auto-updates, malware scanning, firewalls and 24/7 monitoring by WordPress experts. We become your outsourced IT team.
Let's chat about migrating your site to our managed hosting so you can finally stop worrying about security issues. We'll fully audit and lock down your site as part of onboarding. Call us at 678-995-5169 to keep your business safe online.